adminbruno
/
docuseal
mirror of https://github.com/docusealco/docuseal
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '2cfa5533a2'
${ noResults }
docuseal/lib/abilities/submission_conditions.rb

89 lines
3.1 KiB
Raw Blame History

# frozen_string_literal: true
module Abilities
# Provides authorization conditions for submission access control.
# Only account users can access submissions (partnership users create templates).
# Supports partnership inheritance and global template access patterns.
module SubmissionConditions
module_function
def collection(user, request_context: nil)
return [] if user.account_id.blank?
submissions_for_user(user, request_context)
end
def entity(submission, user:, request_context: nil)
# Only account users can access submissions
return false if user.account_id.blank?
# User can access their own account's submissions
return true if submission.account_id == user.account_id
if submission.template_id.present?
template = submission.template || Template.find_by(id: submission.template_id)
return false unless template
return true if user_can_access_template?(user, template, request_context)
end
false
end
def submissions_for_user(user, request_context = nil)
accessible_template_ids = accessible_template_ids(request_context)
Submission.where(
'submissions.account_id = ? OR submissions.template_id IN (?)',
user.account_id,
accessible_template_ids
)
end
def accessible_template_ids(request_context = nil)
template_ids = []
# Add templates from partnership context (if provided via API)
if request_context&.dig(:accessible_partnership_ids).present?
accessible_partnership_ids = request_context[:accessible_partnership_ids]
partnership_ids = Partnership.where(external_partnership_id: accessible_partnership_ids).pluck(:id)
template_ids += Template.where(partnership_id: partnership_ids).pluck(:id)
end
# Add templates from global partnership (accessible to everyone)
if ExportLocation.global_partnership_id.present?
template_ids += Template.where(partnership_id: ExportLocation.global_partnership_id).pluck(:id)
end
template_ids.uniq
end
def user_can_access_template?(user, template, request_context = nil)
# User can access templates from their account
return true if template.account_id == user.account_id
# Check partnership context access
return true if partnership_context_accessible?(template, request_context)
# Check global partnership access
return true if global_template_accessible?(template)
false
end
def partnership_context_accessible?(template, request_context)
return false if request_context&.dig(:accessible_partnership_ids).blank?
return false if template.partnership_id.blank?
accessible_partnership_ids = request_context[:accessible_partnership_ids]
accessible_partnerships = Partnership.where(external_partnership_id: accessible_partnership_ids)
accessible_partnerships.exists?(id: template.partnership_id)
end
def global_template_accessible?(template)
ExportLocation.global_partnership_id.present? &&
template.partnership_id == ExportLocation.global_partnership_id
end
end
end
Reference in new issue View Git Blame Copy Permalink